On Friday, March 10, it can only be imagined that countless
managers and CIOs of Canadian public companies breathed a sigh of
relief.
That day the Canadian Securities Administrators (CSA)
announced its intention to propose an alternative approach to
reporting on internal control over financial reporting.
While the new direction will feature several elements (with more
information to come from the CSA later this year), the one
receiving the most attention is the intended elimination of the
need for auditor attestation of an issuer's reporting on internal
control. (There were no material changes to management's
responsibilities.) Without auditor attestation, initial marketplace
thinking was that management, including CIOs, could take a more
relaxed approach to certification efforts. But as companies gain a
better understanding of the impact of removing auditor attestation,
the euphoria over this change will start to disappear.
The wake-up call
Consider the following scenario:
Sue, a fictional director and audit committee member, sits on
two different boards -- one is a publicly traded company complying
with the U.S.-based Sarbanes-Oxley Act (SOX), the other is a
Canadian filer required to follow the CSA rules.
When it comes to her comfort level in approving the Management
Discussion and Analysis Document (MD&A) for the SOX filer, she
has an audit opinion on internal controls on which to rely.
For the Canadian filer, however, she has no such comfort. She
only has knowledge of management's process for signing off on the
CSA requirements and the audit committee's oversight and monitoring
upon which to rely. She is, therefore, likely to ask "Given the
civil liability rules, how robust is that process?"
What this means for CIOs
John is the fictional CIO of the company above that must comply
with the Canadian CSA rules. With the potential move away from
auditor attestation, the general systems control (GSC), for which
John is responsible, will no longer bear the scrutiny of an
external audit. Who will the audit committee, CEO and CFO turn to
for assurance? Given that John influences and controls the
applications and GSC that permeate the organization and its
internal control environment, he is likely to be called upon for
answers on the state of IT internal controls over the financial
reporting environment.
With the organizational reliance on IT and the vast range of
internal controls throughout the business, John is likely to become
a large part of the due diligence process that management needs to
demonstrate to the marketplace and the CSA.
Experience suggests that an unreliable IT control environment
directly impacts an organization's current and future certification
activities.
To ensure the CEO, CFO and board can complete their sign-offs,
John needs to work with management to implement a robust
certification process. In 2006 he will need to ensure the required
IT controls are suitably designed. In 2007, John will also need to
ensure that the IT controls operate effectively. He must be
prepared to help management understand, test and document the
organization's application controls and GSC. He will also need to
help develop and implement a sustainable process for ongoing
compliance.
Learning from past mistakes
To help his organization with improved internal control
compliance activities and have some control over his scope, John
must understand the role he can play going forward and use the
lessons learned from his U.S.-based counterparts, such as:
-- Leverage a risk-based approach so that effort and evidence are
scaled to what matters most. (The CSA risk-based approach
may be more rationale-based and less formula/numeric intensive than
its U.S. counterpart.);
-- Ensure finance and business teams understand the role and
requirements of IT in certification;
-- Fully integrate business and technology teams for
certification;
-- Act now to complete either the assessment activities or
corrective actions;
-- Avoid using too many, too few, or irrelevant IT controls;
-- Avoid trying to shoehorn a generic IT control framework into the
organization rather than customizing it;
-- Avoid unsustainable quick-fix solutions.
Three key considerations
While there are no hard and fast rules, organizations complying
with the CSA requirements need to build an efficient and effective
certification process. John needs to ensure this process will
provide sufficient assurance to the CFO, CEO, audit committee and
board that there are no material weaknesses in the IT control
environment over financial reporting. John may want to consider the
following three recommendations:
1. Develop a risk-based approach to IT internal control
compliance;
2. Apply this risk-based approach to application controls and GSC;
and,
3. Determine how to integrate the risk-based approach into the
organization's overall sustainable compliance program.
Step 1: Develop an IT risk-based approach
A risk-based approach enables John to focus his efforts on areas
of high risk and reduce attention on low risk areas. To develop
this approach, John must gain an understanding of, and risk rate,
his IT control environment and control objectives.
By asking a series of questions, John can classify the standard
areas of IT risk as "high, medium or low", and determine which ones
need to be included in his certification scope. The IT management
and operational control areas he should consider include: IT
management controls, program development/acquisition, program and
infrastructure changes, operations and access to data and systems.
Some questions he may want to ask include:
-- Management level context questions such as:
   -- How does executive management know that IT is doing its
   job?
   -- What are the indicators of the IT operation's success/burn
   rate?
   -- How do executives know if IT is meeting business needs?
   -- What is the awareness of IT control requirements?
-- IT operational questions such as:
   -- How old, complex and stable is the technology environment
   that supports the overall financial reporting process (including
   systems that initiate transactions)?
   -- Are there recent significant changes in IT leadership,
   structure, technology or processes?
   -- How stable and robust are the IT operational processes and
   related performance measures?
   -- What is the nature of the process's deployment
   (centralized/decentralized)?
   -- What is the process's impact on internal controls over
   financial reporting?
By performing and substantiating this approach, John begins to
build an internal controls assessment program, customized and
focused on key areas of concern. He can tailor the work effort
adopted and the amount of evidence collected for each objective
based on the risk ranking per the certification project
standards.
Step 2: Apply the IT risk-based approach
Next, John works with certification team members to identify
relevant applications included in the overall certification
process. They are typically related to the initiation, processing
and reporting of financial reporting matters. Within these
applications John's team can help the certification team identify
and apply a risk assessment to key application controls based on two
factors:
-- Nature of the key application control (embedded or
configurable)
-- Type of key application control (inherent/customized)
Addressing these factors, John is again able to align effort and
evidence with the risk rating. For instance, a standard key
application control within an off-the-shelf software package is
generally of lower inherent risk and requires a lesser amount of
assessment/evidence than that required for a highly developed
solution that users configure (pricing tables) or with customized
logic (revenue formulas based on statistical models).
Knowing which key applications are included in the certification
process, John can now focus on the underlying GSC related to the
key applications. Within the GSC area, John can turn his attention
to scaling the assessment activities and level of testing/evidence
to the degree of risk as defined in the IT risk-based approach. For
example, IT operations that have limited or no batch processing and
no shift transitions will likely find that these controls are
associated with lower risk ratings and thus lower scaled
documentation and testing.
Step 3: Develop a sustainable model
The assessment process is a lot of work and it is not going
away. John should therefore consider how to ease the work of today
as well as that of the future. He needs to give thought to a
sustainable working model for internal controls operation and
assessment, considering current remedial requirements and future
sustainability or trade-offs. By approaching remediation from an
operational perspective and slightly extending the effort, he may
be able to achieve certification compliance while optimizing
business processes and building them to satisfy other additional
business requirements.
A sustainable model should integrate ongoing compliance
activities within the daily business operations. As a result, the
business activities are tailored to meet the business risks and
needs (including compliance adherence, internal controls assessment
and evidence generation), as well as provide ongoing compliance and
management reporting for the effectiveness of internal
controls.
Admittedly, it may not be possible to develop a sustainable
process for every control area within the current year. The trick
is to ensure that informed and collaborative decisions are made
with regards to what is an immediate focus and what can wait.
In developing a sustainable compliance model, John should
contemplate how to build the assessment of controls into ongoing
operations by considering such steps as:
-- Introducing a customized control framework, such as CobiT,
ISO17799, ITCG, etc.;
-- Building tailored IT processes based on IT process models
(ITIL, CMMI, etc.) and integrating a customized control
framework;
-- Integrating other business needs and compliance requirements
beyond certification into a consolidated solution;
-- Replacing manual controls with application controls to
achieve efficiencies;
-- Baselining application controls with year-over-year effort
dispersion; and
-- Embedding internal controls compliance into process changes,
projects and systems solutions prior to rollout.
The sanity check
By working closely with the rest of the management group, John
is able to ensure that his documentation and testing guidelines are
consistent with the organization's approach, making it less likely
that he will expend unnecessary resources or not do enough work to
support the findings.
By working with the others, John is also able to help formulate
a solid strategy that will deliver a higher level of comfort over
IT controls to the CFO, CEO, audit committee and board. In areas of
greater risk, he may want to consider working with or consulting
other groups (internal or external) to obtain an appropriate level
of comfort.
Using this process as a foundation, John is able to record and
document properly the rationale behind his approach and gain
specialist assistance where required.
A CIO's work is never done
As part of the organizational leadership, John needs to
understand and deliver on the certification expectations of the
board, audit committee, CEO and CFO. He needs to provide a
consistent and reliable IT processing environment and
assurance/evidence of its effectiveness. He will be called upon to
aid in developing and supporting solutions to manage current and
future organizational or departmental needs, in terms of
certification and beyond. In summary: John is responsible for
delivering on these expectations. Will he just meet the mark, or
take the opportunity to be an innovative and strategic solution
provider for his organization?